default-permissions for permissive signature spoofing
diff --git a/FakeStore/Android.mk b/FakeStore/Android.mk
index deef00f..939850b 100644
--- a/FakeStore/Android.mk
+++ b/FakeStore/Android.mk
@@ -9,6 +9,13 @@
 include $(BUILD_PREBUILT)
 
 include $(CLEAR_VARS)
+LOCAL_MODULE := default-permissions-com.android.vending.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT_ETC)/default-permissions
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+include $(BUILD_PREBUILT)
+
+include $(CLEAR_VARS)
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE := FakeStore
 LOCAL_SRC_FILES := FakeStore.apk
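Review bot: The new `default-permissions-com.android.vending.xml` stanza omits `LOCAL_MODULE_TAGS := optional`, which the FakeStore module right below it and the sysconfig module in GmsCore/Android.mk both set; add it so the prebuilt stanzas stay uniform. The matching stanza added in GmsCore/Android.mk has the same gap. Both stanzas would also benefit from a one-line comment such as `# pre-grant list; only takes effect where FAKE_PACKAGE_SIGNATURE is a runtime permission`. Since the file is installed under `$(TARGET_OUT_PRODUCT_ETC)/default-permissions`, please confirm that the platform versions this repo targets actually read default-permissions from the product partition, otherwise the grant is silently skipped. The FakeStore module definition continues outside this hunk.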
@@ -16,7 +23,7 @@
 LOCAL_PRIVILEGED_MODULE := true
 LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
 LOCAL_CERTIFICATE := PRESIGNED
-LOCAL_REQUIRED_MODULES := privapp-permissions-com.android.vending.xml
+LOCAL_REQUIRED_MODULES := privapp-permissions-com.android.vending.xml default-permissions-com.android.vending.xml
 LOCAL_PRODUCT_MODULE := true
 include $(BUILD_PREBUILT)
 
diff --git a/FakeStore/default-permissions-com.android.vending.xml b/FakeStore/default-permissions-com.android.vending.xml
new file mode 100644
index 0000000..01f6aa2
--- /dev/null
+++ b/FakeStore/default-permissions-com.android.vending.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<exceptions>
+    <exception package="com.android.vending">
+        <!-- for permissive signature spoofing, where the permission is "dangerous" -->
+        <permission name="android.permission.FAKE_PACKAGE_SIGNATURE" fixed="false"/>
+    </exception>
+</exceptions>
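Review bot: The comment on the `FAKE_PACKAGE_SIGNATURE` entry does not say that a default-permissions exception grants the permission with no user prompt. That matters on builds where spoofing is a "dangerous" permission precisely so that the user approves it per app. Suggest `<!-- permissive spoofing ("dangerous"): pre-granted without a prompt; fixed="false" keeps it user-revocable -->`. The exception is keyed on the package name alone, so it is worth confirming that only the intended presigned APK can occupy `com.android.vending` on the image. The same comment applies to GmsCore/default-permissions-com.google.android.gms.xml.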
diff --git a/FakeStore/privapp-permissions-com.android.vending.xml b/FakeStore/privapp-permissions-com.android.vending.xml
index 82f0402..1c718df 100644
--- a/FakeStore/privapp-permissions-com.android.vending.xml
+++ b/FakeStore/privapp-permissions-com.android.vending.xml
@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <permissions>
     <privapp-permissions package="com.android.vending">
+        <!-- for restrictive signature spoofing, where the permission is "signature|privileged" -->
         <permission name="android.permission.FAKE_PACKAGE_SIGNATURE"/>
     </privapp-permissions>
 </permissions>
diff --git a/GmsCore/Android.mk b/GmsCore/Android.mk
index 2d40004..b05efd8 100644
--- a/GmsCore/Android.mk
+++ b/GmsCore/Android.mk
@@ -9,6 +9,13 @@
 include $(BUILD_PREBUILT)
 
 include $(CLEAR_VARS)
+LOCAL_MODULE := default-permissions-com.google.android.gms.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT_ETC)/default-permissions
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+include $(BUILD_PREBUILT)
+
+include $(CLEAR_VARS)
 LOCAL_MODULE := sysconfig-com.google.android.gms.xml
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_CLASS := ETC
@@ -25,7 +32,7 @@
 LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
 LOCAL_CERTIFICATE := PRESIGNED
 LOCAL_OVERRIDES_PACKAGES := com.qualcomm.location
-LOCAL_REQUIRED_MODULES := privapp-permissions-com.google.android.gms.xml sysconfig-com.google.android.gms.xml
+LOCAL_REQUIRED_MODULES := privapp-permissions-com.google.android.gms.xml default-permissions-com.google.android.gms.xml sysconfig-com.google.android.gms.xml
 LOCAL_PRODUCT_MODULE := true
 include $(BUILD_PREBUILT)
 
diff --git a/GmsCore/default-permissions-com.google.android.gms.xml b/GmsCore/default-permissions-com.google.android.gms.xml
new file mode 100644
index 0000000..de75ff1
--- /dev/null
+++ b/GmsCore/default-permissions-com.google.android.gms.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<exceptions>
+    <exception package="com.google.android.gms">
+        <!-- for permissive signature spoofing, where the permission is "dangerous" -->
+        <permission name="android.permission.FAKE_PACKAGE_SIGNATURE" fixed="false"/>
+        
+        <!-- work around https://source.android.google.cn/setup/start/android-12-release?hl=en#system-alert-window-restrictions ? -->
+        <permission name="android.permission.SYSTEM_ALERT_WINDOW" fixed="false"/>
+    </exception>
+</exceptions>
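Review bot: The `SYSTEM_ALERT_WINDOW` entry goes beyond what the commit title covers, and its comment ends in a question mark, so it reads as an unverified workaround. In AOSP this permission is app-op gated rather than an ordinary runtime permission, so it is unclear whether a default-permissions exception has any effect. Please verify on a target build and either drop the line or replace the comment with what was observed, e.g. `<!-- Android 12+: required for <feature>; verified on <build> -->` (placeholders). Pre-granting overlay capability to a package that can also spoof signatures deserves its own commit and a stated justification.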
diff --git a/GmsCore/privapp-permissions-com.google.android.gms.xml b/GmsCore/privapp-permissions-com.google.android.gms.xml
index 068be89..33b9554 100644
--- a/GmsCore/privapp-permissions-com.google.android.gms.xml
+++ b/GmsCore/privapp-permissions-com.google.android.gms.xml
@@ -1,9 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <permissions>
     <privapp-permissions package="com.google.android.gms">
+        <!-- for restrictive signature spoofing, where the permission is "signature|privileged" -->
         <permission name="android.permission.FAKE_PACKAGE_SIGNATURE"/>
+
         <permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
         <permission name="android.permission.CHANGE_DEVICE_IDLE_TEMP_WHITELIST"/>
         <permission name="android.permission.UPDATE_APP_OPS_STATS"/>
-</privapp-permissions>
+    </privapp-permissions>
 </permissions>